The Security Ledger: Cyber Security News & Analysis for The Internet of Things
https://securityledger.com
Feed generated Wed, 20 Feb 2019 18:13:26 +0000

The Security Ledger Podcast: Security Ledger Editor in Chief Paul Roberts interviews the top minds in the cyber security space. Contact: Paul F. Roberts, paul@securityledger.com
Every week, the Security Ledger Podcast brings you interviews with the top minds in the field of information security. Hosted by Security Ledger founder and Editor in Chief Paul Roberts, the Podcast digs deep into the cyber security issues that affect you today and will shape our world for years to come. If you're interested in cyber security, this is a must-listen podcast.

Podcast Episode 134: The Deep Fake Threat to Authentication and analyzing the PEAR Compromise
https://securityledger.com/2019/02/podcast-episode-134-the-deep-fake-threat-to-authentication-and-analyzing-the-pear-compromise/
Published Tue, 19 Feb 2019 13:23:56 +0000
In this week’s episode, #134: deep fakes aren’t just a problem for celebrities. They risk undermining a range of voice- and image-based authentication technologies. Vijay Balasubramaniyan of Pindrop joins us to talk about it. And, in our second segment, Sam Bisbee, the CSO of the firm ThreatStack, joins us to talk about last month’s hack of the PEAR open source package manager and why data deserialization attacks are a growing threat to projects that use open source components.

The Deep Fake Threat to Authentication

The world has adapted itself – albeit unhappily – to a U.S. President accustomed to making outrageous or factually inaccurate statements. But what if even the most temperate and measured leader could be made to say outrageous and inflammatory things? How destabilizing might that be to societies and economies? That’s the risk posed by so-called “deep fake” audio and video, which use advances in deep learning – a kind of artificial intelligence – to seamlessly manipulate both audio and video content, producing real-seeming forgeries.

So-called “deep fake” audio and video may complicate biometric authentication schemes in years to come, warns Vijay Balasubramaniyan of the firm Pindrop.

Thus far, deep fakes have been the fodder of celebrity pornography sites and academic conference demonstrations. But experts like our first guest, Vijay Balasubramaniyan of the firm Pindrop, say that deep fakes are almost certain to become more common and pose risks not just to social stability, but also to a wide variety of image- and voice-based authentication technologies.

In our first segment, Vijay and I talk about the evolution of deep fakes and the risk posed by convincing audio counterfeits.

Data Deserialization and Open Source Risk

In January, the maintainers of PEAR took down their official website (pear.php.net) after they found that someone had replaced the original PHP PEAR package manager (go-pear.phar) with a modified and malicious version in the core PEAR file system.

PEAR developers suspected that the website had been serving the installation file, contaminated with the malicious code, for download for at least half a year. But how did the attack happen? One theory: the attackers used a so-called “data deserialization” attack.

In our second segment, we’re joined by Sam Bisbee of the firm Threatstack to talk about the PEAR compromise and why data deserialization attacks are a growing threat to development organizations.

In our conversation, Bisbee notes that data deserialization and similar attacks rely on the fact that developers in fast-moving environments take for granted the integrity of tools like the PEAR package manager.

“Developers aren’t typically going in and opening up and trying to understand how their package manager works or what third party dependencies are that they’re pulling in because they want to just use them and not have to t...

Audio (41:11): http://media.blubrry.com/the_security_ledger_podcasts/content.blubrry.com/the_security_ledger_podcasts/Episode_134_Deep_Fakes_and_Open_Source_Compromises.mp3

Podcast Episode 133: Quantum Computing’s Security Challenge and Life After Passwords
https://securityledger.com/2019/02/podcast-episode-133-quantum-computings-security-challenge-and-life-after-passwords/
Published Wed, 13 Feb 2019 03:41:10 +0000
In this week’s episode of the podcast (#133): the arrival of functional quantum computers may be closer than you think. I’m joined by Avesta Hojjati, Head of DigiCert Labs, and Brian LaMacchia, Distinguished Engineer and Head of the Security and Cryptography Group at Microsoft Research, to talk about the coming quantum revolution and what it means for security. Also: what will it really take for consumers and businesses to ditch the user name and password? This week we’re kicking off a series on the future of passwords and authentication with George Avetisov, the CEO of the startup HYPR.

Quantum’s Security Challenge

Quantum computers sound like the stuff of science fiction: the zeros and ones that are the foundation of modern computing give way to ethereal qubits that can be zero, one, or both at the same time, as well as everything in between.

Brian LaMacchia is a Microsoft Corporation Distinguished Engineer and heads the Security and Cryptography team within Microsoft Research (MSR) where he works on the development of quantum-resistant public-key cryptographic algorithms and protocols.

One small step in that direction happened this week, as Microsoft teamed with the certificate authority DigiCert and the firm Utimaco, announcing a successful test implementation of a Microsoft-developed algorithm known as “Picnic” which can create quantum-safe digital certificates used to encrypt, authenticate and provide integrity for connected devices commonly referred to as the Internet of Things (IoT). Though still in development, the companies say that Picnic will protect IoT devices from future threats quantum computing could pose to today’s widely used cryptographic algorithms.

To understand more about the problem that the advent of quantum computing poses for the security of the Internet and the Internet of Things, we sat down with Avesta Hojjati, Head of DigiCert Labs, and Brian LaMacchia, Distinguished Engineer and Head of the Security and Cryptography Group at Microsoft Research and an inventor of the Picnic algorithm, to talk about the coming quantum revolution and what it means for security.

Life after passwords

In just the last month, hundreds of millions of user names and passwords have been exposed by researchers: the contents of online compendiums known as Collections 1 through 5. They’re the fruits of data breaches and hacks going back years, and they are a useful tool for cyber criminals, who can use them to carry out credential stuffing attacks against a wide range of sites.

George Avetisov is Cofounder and Chief Executive Officer of HYPR.

The password problem gets even worse when you think about the...

Audio (41:27): http://media.blubrry.com/the_security_ledger_podcasts/content.blubrry.com/the_security_ledger_podcasts/Episode_133-Protecting_Data_in_a_Quantum_Computing_Era_and_How_We_Finally_Say_Good_Bye_to_the_Password.mp3
In Granite State: Industry Groups Paint Dark Picture of Right to Repair
https://securityledger.com/2019/02/in-granite-state-industry-groups-paint-dark-picture-of-right-to-repair/
Published Mon, 11 Feb 2019 13:28:40 +0000

The battle lines were drawn at a hearing in New Hampshire last week for a proposed right to repair law, with supporters calling for economic justice for consumers and opponents warning of crime and injury should the law pass.
Four Signs You’re Ready for a Virtual CISO
https://securityledger.com/2019/02/four-signs-youre-ready-for-a-virtual-ciso/
Published Fri, 08 Feb 2019 15:17:16 +0000

A virtual Chief Information Security Officer (or vCISO) can be a great resource to a company. But how do you know when your company is ready for one? Rob Black of Fractional CISO shares four telltale signs to watch for.
Government, Private Sector Unprepared for 21st Century Cyber Warfare
https://securityledger.com/2019/02/government-private-sector-unprepared-for-21st-century-cyber-warfare/
Published Thu, 07 Feb 2019 14:25:20 +0000

U.S. government agencies and businesses are largely unprepared for a major cyber attack from state-sponsored actors, and must prepare now, according to a report by key government-focused think tanks.